One of my longtime pet peeves with how we PMC members participate in vetting releases is our penchant for focusing too much on the policies surrounding license and notice info. I really think our exclusive focus on things that really don't pose any organizational risk to either the org or the project participants serves us well in our other, often unexpressed but far more relevant, goals about encouraging committers to participate in active review of their project's commit activity.
Just think about this for a second: what's more likely for people to start suing us over, some bug in the NOTICE file or an undetected backdoor in one of our programs? I am personally far more concerned about the current state of the actual review going on in our podlings than I am about NOTICE minutiae. Maybe we should compile some list of which committers are actually subscribed to their project's commit lists? It's crude but it may be useful data to look at to a first order.